Segment routing with fast reroute for container networking

ABSTRACT

Systems and methods provide for segment routing (SR) with fast reroute in a container network. An SR ingress can receive a packet from a first container destined for a container service. The ingress can generate an SR packet including a segment list comprising a first segment to a first container service host, a second segment to a second service host, and a third segment to the service. The ingress can forward the SR packet to a first SR egress corresponding to the first host using the first segment. The first egress can determine whether the first service and/or host is reachable. If so, the first egress can forward the SR packet to the first host or the packet to the service. If not, the first egress can perform a fast reroute and forward the SR packet to a second SR egress corresponding to the second host using the second segment.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation and claims priority to, U.S.Non-Provisional patent application Ser. No. 16/138,595, filed on Sep.21, 2018, the full disclosure of which is hereby expressly incorporatedby reference in its entirety.

TECHNICAL FIELD

The subject matter of this disclosure relates in general to the field oftelecommunications networks, and more particularly, to systems andmethods for segment routing with fast reroute in a container network.

BACKGROUND

Network operators are increasingly deploying containers for developingsoftware in continuous integration and continuous delivery (Cl/CD)environments and running distributed applications and microservices inprivate networks, public clouds, or both (e.g., hybrid clouds ormulti-clouds). Containers are an example of operating-system-levelvirtualization. Containers can be self-contained execution environmentsthat have their own isolated CPU, memory, input/output (I/O), andnetwork resources and share the kernel of a host operating system.Containers can be isolated from one other and from their hosts (physicalor virtual servers). For example, they can have their own file systems.They may have no visibility into each other's processes. Their computingresources (e.g., processing, storage, networking, etc.) can be bounded.Containers can be easier to build and configure than virtual machines,and because containers can be decoupled from their underlyinginfrastructure and from host file systems, they can be highly portableacross various clouds and operating system distributions. However,containers can introduce additional complexities for networking.

BRIEF DESCRIPTION OF THE FIGURES

To provide a more complete understanding of the present disclosure andfeatures and advantages thereof, reference is made to the followingdescription, taken in conjunction with the accompanying drawings, inwhich:

FIG. 1 illustrates an example of a network in accordance with anembodiment;

FIG. 2 illustrates an example of a container orchestration platform inaccordance with an embodiment;

FIG. 3A and FIG. 3B illustrate examples of a segment routing packet inaccordance with an embodiment;

FIGS. 4A-4D illustrate examples of segment routing in accordance with anembodiment;

FIGS. 5A-5D illustrate examples of segment routing with fast reroute inthe event a container pod is unreachable in accordance with anembodiment;

FIGS. 6A-6F illustrate examples of segment routing in accordance with anembodiment;

FIGS. 7A-7E illustrate examples of segment routing with fast reroute inthe event a server is unreachable in accordance with an embodiment;

FIG. 8 illustrates an example of a process for enabling segment routingwith fast reroute in the event that a container pod or host isunreachable in accordance with an embodiment; and

FIGS. 9A and 9B illustrate examples of systems in accordance with someembodiments.

DESCRIPTION OF EXAMPLE EMBODIMENTS

The detailed description set forth below is intended as a description ofvarious configurations of embodiments and is not intended to representthe only configurations in which the subject matter of this disclosurecan be practiced. The appended drawings are incorporated herein andconstitute a part of the detailed description. The detailed descriptionincludes specific details for the purpose of providing a more thoroughunderstanding of the subject matter of this disclosure. However, it willbe clear and apparent that the subject matter of this disclosure is notlimited to the specific details set forth herein and may be practicedwithout these details. In some instances, structures and components areshown in block diagram form in order to avoid obscuring the concepts ofthe subject matter of this disclosure.

Overview

Systems and methods provide for segment routing (SR) with fast reroutewhen a container or set of containers (e.g., pod) or container/pod hostbecomes unreachable. An SR ingress device (e.g., a physical or virtualswitch, router, or host) can receive a packet (e.g., IPv6) from a firstcontainer/pod in a first host (e.g., a physical or virtual server) anddestined for a container service (e.g., a cluster of containers/pods).The SR ingress device can generate an SR packet including a segment listand the original packet. The segment list can include a first segment orsegment identifier (SID) to a second host including a secondcontainer/pod of the service, a second segment or SID to a third hostingincluding a third container/pod of the service, and a third segment orSID to the container service. The SR ingress device can forward the SRpacket to a first SR egress device corresponding to the first segment orSID. The first SR egress device can determine whether the secondcontainer/pod and/or host is reachable. If so, the first SR egressdevice can forward the SR packet to the second host or the originalpacket (after de-encapsulation) to the second container/pod. If not, thefirst SR egress device can perform a fast reroute and forward the SRpacket to a second SR egress device corresponding to the.

Example Embodiments

One way of deploying containers in a network is to utilize a containerorchestration platform. A container orchestration platform can includeone or more masters that may operate as the controller for containers inthe network and one or more worker nodes that may carry out thenetwork's workloads. The container orchestration platform can alsosupport clustering of container hosts (e.g., physical or virtualservers) that may perform the same or similar functionalities (sometimesreferred to as a container service). Current implementations ofcontainer networks assign a network address (e.g., ClusterIP) to eachcontainer service, and then install Network Address Translation (NAT)rules at each container host to map from the container service addressto the network address of a specific container or container pod in thecontainer host. An alternative approach can be to tunnel traffic betweenan ingress host to an egress host and to retain the container serviceaddress as the inner destination IP address in the tunnel. Someembodiments of the present disclosure may utilize Segment Routing overIPv6 data plane (SRv6) for the tunneling mechanism. This can provide thevarious benefits of segment routing, such as increased networksimplification, programmability and scalability, and flexibility.

Segment routing can provide control over forwarding paths using simplenetwork instructions. In addition, segment routing does not requireadditional protocols and may even remove unnecessary protocols in somedeployments to further simplify a network.

Segment routing does not require path signaling such that only SRingress devices may need to maintain per-flow state. This can increasenetwork flexibility while reducing cost. In addition, path can beexpressed uniquely as a set of segments, and there is no need for routeinjection. This architecture can be highly scalable since the SR-capabledevice may only have to store the exact paths it needs.

An SR path can be based on best effort inter-domain reachability or forService Level Agreement (SLA) reachability. Segment routing can also beused to steer traffic along any arbitrary path in a network. This canallow network operators to enforce low-latency and/or disjoint paths,regardless of normal forwarding paths. SR can achieve this flexibilitywithout any additional signaling or midpoint fabric-state.

Segment routing can also support fast reroute in the event a containerservice or container host becomes unreachable. Current implementationsof a container network may be slow to detect the unavailability of acontainer service and/or container host and/or to reprogram the network.Various embodiments of the present disclosure can overcome these andother deficiencies of the prior art using segment routing to encodemultiple segments to a container service for fast reroute to a secondaryroute in the event in the event the container service and/or containeris unreachable along a primary route.

FIG. 1 illustrates an example of a network 100 for implementing variousembodiments of the present disclosure. It should be understood that, forthe network 100 and any network discussed herein, there can beadditional or fewer nodes, devices, links, networks, or components insimilar or alternative configurations. Embodiments with differentnumbers and/or types of clients, networks, nodes, cloud components,servers, software components, devices, virtual or physical resources,configurations, topologies, services, appliances, deployments, ornetwork devices are also contemplated herein. Further, the network 100can include any number or type of resources, which can be accessed andutilized by clients or tenants. The illustrations and examples providedherein are for clarity and simplicity.

The network 100 can include a network fabric 102, a Layer 2 (L2) network104, an L3 network 106, a network controller 108, compute resources 110Aand 110B (collectively, “110”), storage resources 112, and L4-L7services 114. The network fabric 102 can include spine switches 116A and116B (collectively, “116”) and leaf switches 118A, 118B, 118C, 118D, and118E (collectively, “118”). The spine switches 116 can connect to theleaf switches 118 in the network fabric 102. The leaf switches 118 caninclude access ports (or non-fabric ports) and fabric ports. The fabricports can provide uplinks to the spine switches 116, while the accessports can provide connectivity to endpoints (e.g., the compute resources110, the storage resources 112, the L4-L7 services, etc.), internalnetworks (e.g., the L2 network 104), or external networks (e.g., the L3network 106).

The leaf switches 118 can reside at the edge of the network fabric 102,and can thus represent the physical network edge. For instance, in someembodiments, the leaf switches 118D and 118E can operate as border leafswitches in communication with edge routers 120A and 120B located in theexternal network 106. The border leaf switches 118D and 118E may be usedto connect any type of external network device, service (e.g., firewall,deep packet inspector, traffic monitor, load balancer, etc.), or network(e.g., the L3 network 106) to the fabric 102.

Although the network fabric 102 is illustrated and described herein as aleaf-spine architecture, one of ordinary skill in the art will readilyrecognize that various embodiments can be implemented based on anynetwork topology, including any data center or cloud network fabric.Indeed, other architectures, designs, infrastructures, and variationsare contemplated herein. For example, the principles disclosed hereinare applicable to topologies including three-tier (including core,aggregation, and access levels), fat tree, mesh, bus, hub and spoke,etc. In some embodiments, the leaf switches 118 can be top-of-rackswitches configured according to a top-of-rack architecture. In otherembodiments, the leaf switches 118 can be aggregation switches in anyparticular topology, such as end-of-row or middle-of-row topologies. Insome embodiments, the leaf switches 118 can also be implemented usingaggregation switches.

Moreover, the topology illustrated in FIG. 1 and described herein isreadily scalable and may accommodate a large number of components, aswell as more complicated arrangements and configurations. For example,the network may include any number of fabrics 102, which may begeographically dispersed or located in the same geographic area. Thus,network nodes may be used in any suitable network topology, which mayinclude any number of servers, virtual machines or containers, switches,routers, appliances, controllers, gateways, or other nodesinterconnected to form a large and complex network. Nodes may be coupledto other nodes or networks through one or more interfaces employing anysuitable wired or wireless connection, which provides a viable pathwayfor electronic communications.

Network communications in the network fabric 102 can flow through theleaf switches 118. In some embodiments, the leaf switches 118 canprovide endpoints (e.g., the compute resources 110 or the storageresources 112, etc.), services (e.g., the L4-17 services 114), internalnetworks (e.g., the L2 network 104), or external networks (e.g., the L3network 106) access to the network fabric 102, and can connect the leafswitches 118 to each other. In some embodiments, the leaf switches 118can connect endpoint groups (EPGs) to the network fabric 102, internalnetworks (e.g., the L2 network 104), and/or any external networks (e.g.,the L3 network 106). EPGs are groupings of applications, or applicationcomponents, and tiers for implementing forwarding and policy logic. EPGscan allow for separation of network policy, security, and forwardingfrom addressing by using logical application boundaries. EPGs can beused in the network 100 for mapping applications in the network. Forexample, EPGs can comprise a grouping of endpoints in the network 100indicating connectivity and policy for applications.

As discussed, the compute resources 110 can connect to the networkfabric 102 via the leaf switches 118. For example, the compute resources110A can connect directly to the leaf switches 118A and 118B, which canconnect the compute resources 110A to the network fabric 102 and/or anyof the other leaf switches. The compute resources 110B and storageresources 112 can connect to the leaf switches 118B and 118C via the L2network 104. The compute resources 110B, storage resources 112, and theL2 network 104 make up a local area network (LAN). LANs can connectnodes over dedicated private communications links located in the samegeneral physical location, such as a building or campus.

The WAN 106 can connect to the leaf switches 118D or 118E via the edgerouters 120. WANs can connect geographically dispersed nodes overlong-distance communications links, such as common carrier telephonelines, optical light paths, synchronous optical networks (SONET), orsynchronous digital hierarchy (SDH) links. LANs and WANs can include L2and/or L3 networks and endpoints.

The Internet is an example of a WAN that connects disparate networksthroughout the world, providing global communication between nodes onvarious networks. The nodes typically communicate over the network byexchanging discrete frames or packets of data according to predefinedprotocols, such as the Transmission Control Protocol/Internet Protocol(TCP/IP). In this context, a protocol can refer to a set of rulesdefining how the nodes interact with each other. Computer networks maybe further interconnected by an intermediate network node, such as arouter, to extend the effective size of each network. The endpoints caninclude any communication device or component, such as a computer,server, blade, hypervisor, virtual machine, container, process (e.g.,running on a virtual machine), switch, router, gateway, host, device,external network, etc.

In some embodiments, the network 100 may connect to external networks ofpublic cloud providers via the WAN 106 for additional compute, storage,and/or network resources in an architecture sometimes referred to as ahybrid cloud or multi-cloud. A hybrid cloud can include the combinedcompute, storage, and/or network resources of a private network or cloud(e.g., the network 100) and a public cloud to perform workloads of anoperator of the network 100. A multi-cloud can combine compute, storage,and/or network resources of a private cloud with the resources ofmultiple public cloud providers.

In this example, the network controller 108 is implemented using theApplication Policy Infrastructure Controller (APIC™) from CiscoSystems®, Inc. (Cisco®). The APIC™ can provide a centralized point ofautomation and management, policy programming, application deployment,and health monitoring for the fabric 102. Here, the APIC™ can operate asa replicated synchronized clustered controller. In other embodiments,other configurations or software-defined networking (SDN) platforms canbe utilized for managing the fabric 102.

Compute resources 110 can comprise hosts, including physical or baremetal servers, virtual machines, and/or containers, for runningapplications of the operator of the network 100. In some embodiments, aphysical server may have instantiated thereon a hypervisor for creatingand running one or more virtual machines. Some virtual machines may hostone or more containers. In other embodiments, physical servers may run ashared kernel for hosting containers (e.g., bare metal containers). Inyet other embodiments, physical servers can run other software forsupporting other virtual partitioning approaches. Networks in accordancewith various embodiments may include any number of physical servershosting any number of virtual machines, containers, or other virtualpartitions. Hosts may also comprise blade/physical servers withoutvirtual machines, containers, or other virtual partitions.

Storage resources 112 can comprise various technologies for storing thedata of the operator of the network 100. Storage media can include harddisk drives (HDDs), solid state drives (SSD), hybrid storage arrays thatincorporate Flash memory and HDDs, and/or other media. The storageresources can be organized as direct attached storage (DAS), networkattached storage (NAS), storage area networks (SANs), or other storageinfrastructure.

The L4-L7 services 114 can provide networking services for the network100, such as network address translation (NAT), firewalling, InternetProtocol Security (IPSec), session border control (SBC), deep packetinspection (DPI), traffic monitoring, load balancing, etc. The L4-L7services 114 can be implemented in hardware as physical appliancesand/or in software using general-purpose CPUs (e.g., virtual applianceswithin virtual machines and/or containers). In this example, the networkcontroller 108 can provide automatic service insertion based on policiesdefined by the network operator. The controller 108 can use L4-L7service graphs (e.g., ordered sets of service function nodes between aset of endpoints and set of network service functions specified for anapplication) to push the needed configuration and security policies tothe fabric 102, the L4-L7 services 114, and other infrastructurecomponents of the network 100.

As seen in FIG. 1, containers play an increasingly important role in amodern network. Containers can be used to modernize a data center bypackaging existing applications into containers to improve utilizationof computing resources and reduce costs. Due to their portability,containers can also simplify different cloud migration strategies, suchas hybrid cloud or multi-cloud architectures. Containers can alsopromote modern development strategies, such as continuous integration,delivery, and deployment (Cl/CD), because of their isolated nature androbustness to rapidly changing environments. In addition, containers arelightweight by design and ideal for enabling microservices, whetherbuilding new microservices, or refactoring monolithic applications intosmaller services.

FIG. 2 illustrates an example of a container orchestration platform 200for managing containers in a network (e.g., the network 100). One ofordinary skill in the art will understand that, for the containerorchestration platform 200 and any system discussed in the presentdisclosure, there can be additional or fewer component in similar oralternative configurations. The illustrations and examples provided inthe present disclosure are for conciseness and clarity. Otherembodiments may include different numbers and/or types of elements butone of ordinary skill the art will appreciate that such variations donot necessarily depart from the scope of the present disclosure.

In this example, the container orchestrator platform 200 can correspondto the Kubernetes® (K8s) system from the Cloud Native ComputingFoundation®. Kubernetes® is an open source container orchestrationsystem for automating deployment, scaling, and management of applicationcontainers across clusters of hosts. However, other embodiments maydeploy other container orchestration platforms, such as Docker Swarm®from Docker®, Inc., Apache Mesos® from the Apache® Software Foundation,or other container orchestrator without departing from the scope of thepresent disclosure.

The container orchestration platform 200 can comprise one or moreclusters. A cluster is a collection of compute, storage, and networkingresources that the container orchestration platform 200 can use to runthe various workloads of a network. Each cluster can comprise one ormore hosts (physical servers and/or virtual machines). Here, master 202and worker nodes 220A and 220B (collectively, “220”) can represent asingle cluster. In this example, there is one master 202 but otherembodiments may include multiple masters to provide high availability.

The master 202 can provide a control plane for a cluster. The master 202can be responsible for the global, cluster-level scheduling of pods (setof one or more containers) and the handling of events (e.g., starting upa new pod when additional computing resources are needed). The master202 can include an Application Programming Interface (API) server 204, acontroller manager 206, a scheduler 208, and a distributed Key Value(KV) store 210. The master components can run on any host in the clusterbut usually run on the same (physical or virtual) machine without workernodes.

The API server 204 (e.g., kube-apiserver) can operate as the front-endof the control plane, and can expose the API (e.g., Kubernetes API) ofthe container orchestration platform 200. The API server 204 can scalehorizontally (e.g., scale by deploying more instances) as it can bestateless and store data in the distributed KV store 210.

The controller manager 206 (e.g., kube-controller-manager,cloud-controller-manager) can be a collection of various managers rolledup into one binary. The controller manager 206 can include a nodecontroller, replication controller, endpoints controller, servicecontroller, volume controller, and others. The node controller can beresponsible for noticing and responding when nodes go down. Thereplication controller can be responsible for maintaining the correctnumber of pods for every replication controller in the system. Theendpoints controller can populate endpoints (e.g., pods). The servicecontroller can be responsible for creating, updating, and deletingnetwork services (e.g., firewalling, load balancing, deep packetinspection, etc.). The volume controller can be responsible forcreating, attaching, and mounting volumes.

The scheduler 208 (e.g., kube-scheduler) can be responsible forscheduling pods into nodes. This can involve evaluation of resourcerequirements, service requirements, hardware/software policyconstraints, node affinity and anti-affinity specifications, podaffinity and anti-affinity specifications, data locality, and deadlines,among other factors.

The distributed KV store (e.g., etcd) 210 is a high-availabilitydistributed data store. The container orchestration platform 200 can usethe distributed KV store 210 to store cluster state information. In asmall, short-lived cluster, a single instance of the KV store 210 canrun on the same host as other master components, but for largerclusters, the distributed KV store 210 may comprise a cluster of hosts(e.g., 3-5 nodes) for redundancy and high availability.

Worker nodes 220 can maintain running pods and provide a runtimeenvironment (not shown) for the container orchestration platform 200.The container runtime can be responsible for running containers (e.g.,Docker®, rkt from CoreOS®, Inc., runC from the Open ContainerInitiative™, etc.). Each of the worker nodes 220 can correspond to asingle host, which can be a physical or virtual machine. Each workernode 220 can include an agent 222 (e.g., kubelet) and a networkinterface 224 (e.g., kube proxy, Open vSwitch (OVS)/Contiv netplugin,etc.).

The agent 222 can run on each node 220 in a cluster and ensure thatcontainers (e.g., containers 228A, 228B, 228C, etc. (collectively,“228”)) are running in a pod (e.g., pods 226A, 226B, 226C, etc.(collectively, 226)). The agent 222 can oversee communications with themaster 202, including downloading secrets from the API server 204,mounting volumes, reporting the status of the node 220 and each pod 226.

A pod is the unit of work in the container orchestration platform 200.Pods can help to manage groups of closely related containers that maydepend on each other and that may need to cooperate on the same host toaccomplish their tasks. Each pod 226 can include one or more containers228. Pods can be scheduled together and run on the same machine. Thecontainers 228 in each pod 226 can have the same IP address and portspace; they can communicate using localhost or standard inter-processcommunication. In addition, the containers 228 in each pod 226 can haveaccess to shared local storage on the node 220 hosting the pod. Theshared storage can be mounted on each container 228.

The network interface 224 can be responsible for container networking,including low-level network housekeeping on each node, reflection oflocal services, TCP and UDP forwarding, finding cluster IPs throughenvironmental variables or Domain Name System (DNS). In someembodiments, the container orchestration platform 200 may employ anetworking model that relates how the nodes 220, pods 226, andcontainers 228 interact with one another, such as ensuring thatcontainers can communicate with other containers without NAT, nodes cancommunicate with containers (and vice-versa) without NAT, and the IPaddress that a container sees itself as is the same IP address thatothers see it as. This networking model can assign IP addresses at thepod level such that containers within a pod share an IP address and portspace. This networking model can also enable containers within a pod toreach other containers' ports on localhost.

The container orchestration platform 200 can enable intra-nodecommunication or pod-to-pod communication within the same node via localfilesystem, any IPC mechanism, or localhost. The container orchestrationplatform 200 can support various approaches for inter-node communicationor pod-to-pod communication across nodes, including L2 (switching), L3(routing), and overlay networking. The L2 approach can involve attachingan L2 network to a node's physical network interface controller (NIC)and exposing the pod directly to the underlying physical network withoutport mapping. Bridge mode can be used to enable pods to interconnectinternally so that traffic does not leave a host unless necessary. TheL3 approach may not use overlays in the data plane, and pod-to-podcommunication can happen over IP addresses leveraging routing decisionsmade by node hosts and external network routers. Pod-to-podcommunication can utilize Border Gateway Protocol (BGP) peering to notleave the host, and NAT for outgoing traffic. An overlay approach canuse a virtual network that may be decoupled from the underlying physicalnetwork using tunneling technology (e.g., Virtual Extensible LAN(VXLAN), Generic Routing Encapsulation (GRE), Segment Routing (SR),etc.). Pods in the virtual network can find each other via tunneling. Inaddition, L2 networks can be isolated from one another, and L3 routingcan be utilized for inter-node pod-to-pod communication.

In some embodiments, the container orchestration platform 200 cansupport labels and selectors. Labels are key-value pairs that can beused to group together sets of objects, such as pods. Labels can also beused to specify attributes of objects that may be meaningful andrelevant to network users. There can be an N×N relationship betweenobjects and labels. Each object can have multiple labels, and each labelmay be applied to different objects. Each label on an object may have aunique key. The label key can include a prefix and a name. The prefixcan be optional. If the prefix exists, it can be separated from the nameby a forward slash (/) and be a valid DNS subdomain. The prefix and thename can have specified maximum lengths (e.g., 253 and 63 characters,respectively). Names can start and end with an alphanumeric character(a-z, A-Z, 0-9) and include alphanumeric characters, dots, dashes, andunderscores in between. Values can follow the same restrictions asnames.

Label selectors can be used to select objects based on their labels, andmay include equality-based selectors and set-based selectors. Equality(and inequality) based selectors can allow for selection of objects bykey name or value. Matching objects must satisfy specified equality (=or ==) or inequality (!=) operators. Set-based selectors can enableselection of objects according to a set of values, including objectsthat are “in” or “notin” the set or objects having a key that “exists.”An empty label selector can select every object in a collection. A nulllabel selector (which may only be possible for optional selector fields)may select no objects.

In some embodiments, the container orchestration platform 200 maysupport container services. A container service is an abstraction whichdefines a logical set of pods and a policy by which to access them. Theset of pods targeted by a container service can be determined by a labelselector. Services can be published or discovered through DNS orenvironment variables. Services can be of different types, such as aClusterIP, NodePort, LoadBalancer, or ExternalName. A ClusterIP canexpose a container service on a cluster-internal IP such that thecontainer service may only be reachable from within the cluster. ANodePort can expose a container service on each node's IP at a staticport. A ClusterIP container service, to which the NodePort containerservice may route, can be automatically created. The NodePort containerservice can be contacted from outside the cluster by requesting<NodeIP>:<NodePort>. A LoadBalancer can expose a container serviceexternally using a cloud provider's load balancer. NodePort andClusterIP container services, to which the external load balancerroutes, may be automatically created. An ExternalName can map acontainer service to the contents of a specified Canonical Name (CNAME)record in the DNS.

As discussed, current implementations of the control plane in acontainer network may be slow to detect overloading or failure of acontainer pod or node and/or to reroute traffic from the overloaded orunreachable container pod or node. However, by utilizing Segment Routing(SR), source SR devices (e.g., physical or virtual switches, routers, orhosts, etc.) can encode multiple SR routes or policies to forwardtraffic and enable immediate re-routing of the traffic in the event ofoverloading or failure of a container pod or node.

Segment Routing is a source routing architecture in which a sourcechooses a path or route (also sometimes referred to as an SR Policy) andencodes it in a packet header as an ordered list of instructionsreferred to as segments. Segments can represent any instruction in atopology or service. For example, packets can be forwarded along theshortest path from the source along a first segment to a first segmentendpoint (e.g., a physical or virtual switch, router, or host), thenthrough the shortest path from the first segment endpoint along a secondsegment to a second segment endpoint, and so on. SR has been implementedfor at least two data planes: Multiprotocol Label Switching (MPLS) andIPv6. Segment Routing over IPv6 data plane (SRv6) can be realizedthrough the Segment Routing Header (SRH).

FIG. 3A illustrates an example of an SRH 320 within an SRv6 packet 300.The SRv6 packet 300 can also include a payload 360 and an IPv6 header350. The SRH 320 can include a Next Header 322, a Header ExtensionLength 324, a Routing Type 326, a Segments Left 328, a Last Entry 330,Flags 332, a Tag 334, a Hash-based Message Authentication Code (HMAC)336, and a Segment List 340. The Next Header 322 can identify the typeof header immediately following the SRH 320. The Header Extension Length324 can indicate the length of the SRH 320. The Routing Type 326 canidentify a particular Routing header variant. The Segments Left 328 canindicate the number of route segments remaining (e.g., the number ofexplicitly listed intermediate SRv6-capable devices still to be visitedbefore reaching the final destination). The Last Entry 330 can indicatethe index of the last element of the Segment List 340. The Flags 332 caninclude packet metadata, such as a cleanup flag for stripping the SRH320 from a packet and other metadata. The Tag 334 can label a packet asa part of a class or group of packets (e.g., packets sharing the sameset of properties). The HMAC information 336 can be optional, and mayinclude a type (e.g., 1 octet), length (e.g., 1 octet), reserved bits(e.g., 2 octets), HMAC Key ID (e.g., 4 octets), and HMAC (e.g., 32octets).

The Segment List 340 can comprise a set of SRv6 segments 342A . . . 342N(collectively, “342”). The SRv6 segments 342 are sometimes referred toby their Segment Identifiers (SIDs). The SRv6 segments 342 can comprise128 bit values representing a topological instruction (e.g., node orlink traversal) or an operator-defined instruction (e.g., virtualfunction). The Segment List 340 can be encoded starting from the lastsegment of the SR route or policy. That is, the first element of theSegment List (Segment List [0]) may correspond to the last segment ofthe SR route or policy, the second element (Segment List [1]) maycorrespond to the penultimate segment of the SR route or policy, and soon. The Segment List 340 can be used to steer packets through paths withgiven properties (e.g., bandwidth or latency) and through variousnetwork functions (e.g., firewall, load balancer, IPSec, etc.).

When an SRv6-capable device (e.g., physical or virtual switch, router,or server) adds the SRH 320 to a packet, the packet can be encapsulatedby an outer IPv6 header (e.g., the IPv6 header 350) and the SRH 320, andthe original packet can be left unmodified as the payload 360. ThisSRv6-capable device may be referred to as the SR ingress device. ADestination Address 354 of the outer IPv6 header 350 can be set to thefirst segment or SID 342, and the packet may be forwarded to thecorresponding segment endpoint following the shortest path. The segmentendpoint can process the packet by updating the Destination Address 354to the next segment and decrementing the Segments Left 328. The segmentendpoint of the penultimate segment of the Segment List 340 may bereferred to as the SR egress device or segment endpoint. The SR egressdevice or segment endpoint can de-encapsulate the inner packet (e.g.,the payload 360) and forward the packet to its final destination.

In some embodiments, direct or inline SRH insertion may be used insteadof encapsulation. In direct or inline SRH insertion, the SRH 320 can beinserted directly immediately after the IPv6 header 350. This can resultin less overhead than encapsulation but may be more susceptible todisruptions in the event of network errors. For example, an InternetControl Message Protocol (ICMP) message generated for a packet modifiedby direct or inline SRH insertion can reach the original source of thepacket but may not be aware of the inserted SRH.

The IPv6 header 350 can include a Source Address 352 and the DestinationAddress 354. The Source Address 352 can identify the source of thepacket 300. As discussed, the Destination Address 354 can identify thenext segment or node from the Segment List 340. The Destination Address354 in the IPv6 header 350 can allow the packet 300 to be routed even ifthe packet 300 traverses devices that do not support SRv6. TheDestination Address 354 can include a network prefix of the identifiedsegment endpoint or segment. This can ensure that the packet 300 istransmitted to that segment endpoint or segment. After the packet 300 isprocessed by a segment endpoint, the segment endpoint can forward thepacket 300 to the next segment in the Segment List 340. When forwardingthe packet, the segment endpoint can overwrite the Destination Address354 on the IPv6 header 350 to identify the next segment endpoint orsegment. The next segment endpoint can then receive the packet 300 basedon the Destination Address 354. In this manner, the Segment List 340 inthe SRH 320 and the Destination Address 354 in the IPv6 header 350 canbe used to push the packet 300 to its final destination.

In addition to forwarding addresses, the Destination Address 354 and/orSegment List 340 can include functions or commands (“SR functions”) tobe executed by associated segment endpoints or segments. SR functionscan encode actions to be taken by a segment endpoint directly in asegment 342 of the Segment List 340 and/or the IPv6 header 350. SRfunctions may be executed locally by SRv6-capable devices.

FIG. 3B illustrates how SR functions may be encoded within the DA 354 orsegment 342. The most significant bits of the encoding can make up alocator 344 for routing a packet to a particular segment endpoint. Theleast significant bits can make up an SR function 346 to be performed bythe segment, and, if any, arguments 348 (e.g., 32 bits) for thefunction. The number of bits allocated for the locator 344, SR function346, and arguments 348 may be locally determined by each segmentendpoint. For example, one segment endpoint may allocate 80 bits for thelocator 344, 16 bits for the function 346, and 32 bits for the arguments348. Another segment endpoint may allocate 64 bits for the locator 344,32 bits for the function 346, and 32 bits for the arguments 348.

Table 1 sets forth an example set of SR functions. However, one ofordinary skill will understand that this set of functions is notexhaustive. For instance, any function can be attached to a local SIDbecause an SRv6-capable device can bind an SID to a local virtualmachine or container which can apply any complex function on the packet.

TABLE 1 Example Segment Routing Functions Name Function End Endpointfunction (SRv6 instantiation of a prefix SID) End.X Endpoint functionwith Layer-3 cross-connect (SRv6 instantiation of an Adjacency SID)End.T Endpoint function with specific IPv6 table lookup End.PSPPenultimate Segment Pop of the SRH End.X.PSP End.T.PSP End.USP UltimateSegment Pop of the SRH End.X.USP End.T.USP End.DX2 Endpoint withdecapsulation and Layer-2 cross- connect (L2VPN use-case) End.DX2VEndpoint with decapsulation and VLAN L2 table lookup (EVPN Flexiblecross-connect use-cases) End.DT2U Endpoint with decaps and unicast MACL2 table lookup (EVPN Bridging unicast use-cases) End.DT2M Endpoint withdecapsulation and L2 table flooding (EVPN Bridging BUM use-cases withESI filtering) End.DX6 Endpoint with decapsulation and IPv6 cross-connect (IPv6 L3VPN use; equivalent of a per-CE VPN label)) End.DX4Endpoint with decapsulation and IPv4 cross- connect (IPv4 L3VPN use;equivalent of a per-CE VPN label) End.DT6 Endpoint with decapsulationand IPv6 table lookup (IPv6 L3VPN use; equivalent of a per-VRF VPNlabel) End.DT4 Endpoint with decapsulation and IPv4 table lookup (IPv4L3VPN use; equivalent of a per-VRF VPN label) End.DT46 Endpoint withdecapsulation and IP table lookup (IP L3VPN use; equivalent of a per-VRFVPN label) End.B6 Endpoint bound to an SRv6 policy (SRv6 instantiationof a Binding SID) End.B6.Encaps Endpoint bound to an SRv6 encapsulationPolicy (SRv6 instantiation of a Binding SID) End.BM Endpoint bound to anSR-MPLS Policy (SRv6/SR-MPLS instantiation of a Binding SID) End.REndpoint in search of an SID in table T End.S Endpoint in search of atarget in table T End.AS SR-unaware application via static proxy End.AMSR-unaware application via masquerading T Transit behavior T.InsertTransit behavior with insertion of an SRv6 policy T.Insert.Red Transitbehavior with reduced insert of an SRv6 policy T.Encaps Transit behaviorwith encapsulation in an SRv6 policy T.Encaps.Red Transit behavior withreduced encaps in an SRv6 policy T.Encaps.L2 T.Encaps behavior of thereceived L2 frame T.Encaps.L2.Red Transit with reduce encaps of receivedL2 frame

FIGS. 4A-4D illustrate an example of an IPv6 packet traversing a networkfabric 402 (e.g., the network fabric 102 of FIG. 1) and how SRv6 can beused for source routing the packet. One of ordinary skill willunderstood that, for any processes discussed herein, there can beadditional, fewer, or alternative steps performed in similar oralternative orders, or in parallel, within the scope of the variousembodiments unless otherwise stated.

FIG. 4A shows an initial state of IPv6 packet 404A generated by acontainer pod 426A (e.g., the container pods 226 of FIG. 2) within anode 410A (e.g., the compute resources 110 of FIG. 1 or the worker nodes220 of FIG. 2) that is intended for transmission to a container servicelabeled SVC:svc1. The packet 404A can include an IPv6 header 450A (e.g.,the IPv6 header 350 of FIG. 3) having a Source Address (SA)corresponding to the node 410A and the pod 426A (e.g., nodeA:podA) and aDestination Address (DA) corresponding to the container service labeledSVC:svc1. The packet 404A can also include a payload 460 (e.g., thepayload 360 of FIG. 3). The container pod 426A can transmit the packet404A to a vSwitch 424A (e.g., the network interfaces 224 of FIG. 2) ofthe node 410A.

In this example, vSwitches 424A, 424B, and 424C (collectively, “424”)can be SRv6-capable devices. Network devices (not shown) in the networkfabric 102 may or may not be SRv6-capable devices. Network devices thatdo not support SRv6 may be referred to as non-SR transit devices (e.g.,devices that forward an IPv6 packet where the DA of that packet is notlocally configured as a segment nor a local interface). Non-SR transitdevices do not need to be capable of processing a segment nor SRH.

In some embodiments, a network can utilize binding segments or BindingSIDs (BSIDs) for segment routing. A BSID can be bound to an SR Policy,instantiation of which may involve a list of SIDs. Packets received bySRv6-capable devices with an active segment equal to the BSID can besteered onto the bound SR Policy. Use of a BSID can instantiate thepolicy (the SID list) on the SR-capable devices that need to impose thepolicy. Thus, direction of traffic to an SR-capable device supportingthe policy may only require imposition of the BSID. If the policychanges, this can also mean that only the SR-capable devices imposingthe policy may need to be updated.

A BSID may be either a local SID or a global SID. If the BSID is local,the BSID can be allocated from an SR Local Block (SRLB). The SRLB is alocal property of an SRv6-capable device. If the SRv6-capable deviceparticipates in multiple SR domains, there can be one SRLB for each SRdomain. The SRLB can comprise a set of local IPv6 addresses reserved forlocal SRv6 SIDs.

An SR domain can include the set of SRv6-capable devices participatingin the source-based routing model. These devices may be connected to thesame physical infrastructure (e.g., a service provider's network). Thesedevices may also be connected to each other remotely (e.g., via anenterprise Virtual Private Network (VPN) or overlay network). Ifmultiple protocol instances are deployed, the SR domain can include allof the protocol instances in the network. However, some deployments maysubdivide the network into multiple SR domains, each of which caninclude one or more protocol instances.

If the BSID is global, the BSID can be allocated from an SR Global Block(SRGB). The SRGB is the set of global segments in the SR Domain. If anSRv6-capable device participates in multiple SR domains, there can beone SRGB for each SR domain. The SRGB can include the set of global SRv6SIDs in the SR Domain.

SRv6 can support various types of control planes for associatingSRv6-capable devices with BSIDs, including distributed, centralized, orhybrid control planes. In a distributed scenario, the segments can beallocated and signaled by routing protocols such as Intermediate Systemto Intermediate System (IS-IS), Open Shortest Path First (OSPF), BorderGateway Protocol (BGP), etc. An SR-capable device can individuallydecide to steer packets on a source-routed policy, and the SR-capabledevice can individually compute the source-routed policy.

In a centralized scenario, the segments can be allocated andinstantiated by one or more SR controllers (e.g., the network controller108 of FIG. 1). The SR controller(s) can decide which SR-capable devicesneed to steer which packets on which source-routed policies, and the SRcontroller(s) can compute the source-routed policies. The SRcontroller(s) can use various technologies for programming the network,such as Network Configuration Protocol (NETCONF), Path ComputationElement Protocol (PCEP), and BGP, among others. The SR controller(s) candiscover which SIDs are instantiated at which SR-capable devices andwhich sets of local labels (e.g., stored in the SRLB) and global labels(e.g., stored in the SRGB) are available at which SR-capable device.

A hybrid scenario can complement a base distributed control plane withone or more centralized controllers. For example, when the destinationis outside an Interior Gateway Protocol (IGP) domain, SR controller(s)may compute a source-routed policy on behalf of an IGP device. Inaddition, as hosts can also be part of an SR domain, the SRcontroller(s) can inform hosts about policies by pushing these policiesto the hosts or responding to requests from the hosts.

FIG. 4B shows an SR Policy 410 associated with the vSwitch 424A forproviding Fast Reroute (FRR) in the event of a failure or overloading ofa container pod or node. The SR Policy 410 can include a BSID 412binding the container service SVC:svc1 to a Segment List 414. Asdiscussed, the SR Policy 410 can be associated with the vSwitch 424A invarious ways, such as by a distributed model using routing protocols(e.g., IS-IS, OSPF, BGP, etc.), one or more centralized networkcontrollers (e.g., the network controller 108 of FIG. 1), or a hybridapproach.

The Segment List 414 can include segments or SIDs nodeB:End.S, nodeC:End.X.PSP, and SVC:svc1. The first segment or SID, nodeB:End.S, canrepresent a primary SR path or route to the container service SVC:svc1;the second segment or SID, nodeC:End.X.PSP; can represent a secondary SRpath or route to the container service SVC:svc1; and the third segmentor SID, SVC:svc1, can represent the intended destination. The firstsegment or SID may include a locator (e.g., the locator 344 of FIG. 3B),nodeB, and a function (e.g., the function 346 of FIG. 3B), End.S. TheEnd. S function can involve determining whether the last SID in aSegment List is reachable. For example, a segment endpoint executing theEnd.S function can search for whether there is an entry in a local SIDtable (also sometimes referred to as a Forwarding Information Base(FIB)) for the last SID. If so, the segment endpoint can de-encapsulatethe packet and forward onto the last SID. If not, the segment endpointcan perform SRH processing on the next SID. Table 2 sets forth anexample of an implementation of the End. S function.

TABLE 2 Pseudo-code for the Endpoint in search of a target in table Tfunction (End.S) 1. IF NH=SRH and SL=0 2. drop the packet 3. ELSE IFmatch(last SID) in specified table T 4. de-encapsulate 5. IPv6 forward6. ELSE 7. process the next SID 8. END IF

The second segment or SID includes a locator, nodeC, and a function,End.X.PSP. The End.X function can involve decrementing a Segments Leftfield (e.g., the Segments Left 328), updating the DA in the IPv6 headerwith the active segment or SID (e.g., SRH[SL]), and forwarding onto theinterface or next hop corresponding to the active segment or SID. ThePenultimate Segment Pop (PSP) variant of the End.X function can involvepopping the SRH. Table 3 sets forth an example of an implementation ofthe End.X function, and Table 4 sets forth an example of animplementation for the PSP variant. Additional example implementationsof other SR functions can be found in Clarence Filsfils et al., “SRv6Network Programming.” Internet-Draftdraft-filsfils-spring-srv6-network-programming-05, Internet EngineeringTask Force, July 2018, which is fully incorporated herein by reference.

TABLE 3 Pseudo-code for the Endpoint with Layer-3 cross-connection(End.X) function 1. IF NH=SRH and SL > 0 2. decrement SL 3. update theIPv6 DA with SRH[SL] 4. forward to layer-3 adjacency bound to the SID S5. ELSE 6. drop the packet 7. END IF

TABLE 4 Pseudo-Code for PSP variant of the End, End.X, and End.Tfunctions After the instruction ‘update the IPv6 DA with SRH[SL]’ isexecuted, the following instructions can be added: 1. IF updated SL = 02. de-encapsulate 3. IPv6 forward 4. END IF

In the example of FIG. 4B, the vSwitch 424A can operate as the SRingress device. Upon receiving the IPv6 packet 404A (as shown in FIG.4A), the vSwitch 424A can search an SID table (e.g., SRLB or SRGB) forthe original DA (e.g., SVC:svc1), match the original DA to the BSID 412,and insert an SRH 420α including the Segment List 414 and a value of 2for the Segments Left field (e.g., SL=2). As discussed, the vSwitch 424Acan encapsulate the packet 404A with an outside IPv6 header 450B and theSRH 420α, and leave the packet unmodified as the payload 460.Alternatively, the vSwitch 424A can insert the SRH 420α inline betweenthe IPv6 header 450B and the payload 460. In addition, the vSwitch 424Acan set the DA in the IPv6 header 450B to the first segment or SID ofthe Segment List 414 (e.g., nodeB:End.S). The state of the packet afterSR processing by the vSwitch 424A is shown as SRv6 packet 404B. ThevSwitch 424A can forward the packet 404B onto the first segment or SID.

FIG. 4C shows the state of the SRv6 packet 404C after traversing thenetwork fabric 402 and before the vSwitch 424B of the node 420B receivesit. As discussed, networking devices (not shown) in the network fabric402 do not necessarily need to support SRv6 and can use the DA of theIPv6 header 450C to forward the packet and leave it unchanged, as shownin packet 404C. If these networking devices do support SRv6 but aretraversed because, for example, they form the shortest path to a segmentendpoint, they may be referred to as SR transit devices. SRv6 supportsvarious routing algorithms, including Shortest Past First, StrictestShortest Past First, among numerous others. If these devices do notsupport SRv6, they may be referred to as non-SR transit devices.

FIG. 4D shows a local SID table 430 for the vSwitch 424B. Upon receivingthe packet 404C (as shown in FIG. 4C), the vSwitch 424B can perform theEnd.S function (an example of an implementation of which is set forth inTable 2) and determine that there is an entry in its FIB for the lastsegment or SID (e.g., SVC:svc1) and that the container pod 426B isreachable within the node 410B. The vSwitch 424B can eitherde-encapsulate the SRv6 packet (e.g., remove the outer IPv6 and SRheaders) and forward the de-encapsulated packet to the container pod426B or remove the SR header, update the DA of the IPv6 header 450D tothe last segment or SID, and forward the IPv6 packet to the containerpod 426B. The state of the packet after SR processing by the vSwitch424B is shown as IPv6 packet 404D.

FIGS. 5A-5D illustrate an example of an IPv6 packet traversing a networkfabric 502 (e.g., the network fabric 102 of FIG. 1) and how SRv6 can beused for fast reroute of the packet in the event of a failure oroverloading of a container pod or node. FIG. 5A shows a first state ofIPv6 packet 504A and a second state of the packet, encoded as SRv6packet 504B, after transmission from a container pod 526A (e.g., thecontainer pods 226 of FIG. 2) of a node 510A (e.g., the computeresources 110 of FIG. 1 or the worker nodes 220 of FIG. 2) to thenetwork fabric 502 via a virtual switch 524A (e.g., the networkinginterfaces 224 of FIG. 2) of the node 510A and just before the packetarrives at a virtual switch 524B of a node 510B. The current state ofthe packet may be similar to the state of the packet 404C of FIG. 4C.For example, the SRv6 packet 504B can include an IPv6 header 550B havingan SA corresponding to the node 510A and container pod 526A (e.g.,nodeA:podA) and a DA including a locator (e.g., the locator 344 of FIG.3B) corresponding to the node 510B (e.g., nodeB) and a function (e.g.,the function 346 of FIG. 3B) End.S. The SRv6 packet 504B can alsoinclude an SRH 520α (e.g., the SRH 320 of FIG. 3A) having a Segment List(e.g., the Segment List 340 of FIG. 3A) comprising segments or SIDs(e.g., the segments 342 of FIGS. 3A and 3B) nodeB:End.S,nodeC:End.X.PSP, and SVC:svc1, and a value of 2 for Segments Left (e.g.,the Segments Left 328 of FIG. 3A). In addition, the SRv6 packet 504B caninclude a payload 560 (e.g., the payload 360 of FIG. 3), which can be anunmodified IPv6 packet if the packet has been encapsulated or an IPv6payload if direct or inline insertion has been applied to the packet.FIG. 5A also shows a local SID table 530 for the vSwitch 524B with anentry for nodeB:End.S.

However, in this example and unlike the example of FIGS. 4A-4D, acontainer pod 526B of the node 510B has failed, is overloaded, or isotherwise unreachable. Thus, upon the vSwitch 524B receiving the SRv6packet 504B and initiating the End. S function (an example of animplementation of which is set forth in Table 2), the vSwitch 524B mayfail to match the last segment or SID (e.g., SVC:svc1) to an entry inits FIB. As a result, the vSwitch 524B can perform an FRR on the SRv6packet 504B (e.g., process the next segment or SID, nodeC:End.X.PSP).That is, upon detecting that the pod 526B is unreachable, the vSwitch524B can immediately reroute the packet 504B to a secondary path orroute.

FIG. 5B shows a state of SRv6 packet 504C after the vSwitch 524Bperforms the FRR/End.X.PSP function on the packet. For example, thevSwitch 524B can decrement the value of the Segments Left (SL) in theSRH 520β from 2 to 1. In addition, the vSwitch 524B can update the DA inthe IPv6 header 550C to be the next segment in the Segment List of theSRH 520β from nodeB:End.S to nodeC:End.X.PSP. Finally, the vSwitch 524Bcan perform a FIB lookup on the updated DA and forward the packet 504Caccording to the matched entry. In some embodiments, the ingress SRdevice (e.g., the vSwitch 524A) can also be reprogrammed to reflect theunavailability of the container pod 526B, such as to update its SegmentList to include one or more different segments or SIDs (e.g., a newprimary route or path and, optionally, one or more new secondary routesor paths).

FIG. 5C shows a state of SRv6 packet 504D after the packet has traversedthe network fabric 502 and right before a vSwitch 524C of a node 510Creceives the packet. As discussed, the network fabric 502 does notnecessarily need to support SRv6 and instead rely on the DA in IPv6header 550D to forward the packet to the vSwitch 524C. As such, thestate of SRv6 packet 504D can remain unchanged.

FIG. 5D shows a state of IPv6 packet 504E after SR processing by thevSwitch 524C. This can involve performing the End.X.PSP function (e.g.,examples of implementations of which are set forth in Tables 3 and 4) onthe packet. For example, the vSwitch 524C can decrement the SegmentsList from 1 to 0, pop the outer IPv6 header and SRH (if the packet wasencapsulated) or update the DA of an IPv6 header to SVC:svc1 and pop theSRH (if direct or inline insertion was applied to the packet), andperform IPv6 processing on the packet (e.g., forward to an interface ornext-hop corresponding to the container pod 526C).

FIGS. 6A-6F illustrate an example of an IPv6 packet traversing a networkfabric 602 (e.g., the network fabric 102 of FIG. 1) and how SRv6 can beused for source routing the packet. FIG. 6A shows an initial state ofIPv6 packet 604A generated by a container pod 626A (e.g., the containerpods 226 of FIG. 2) within a node 610A (e.g., the compute resources 110of FIG. 1 or the worker nodes 220 of FIG. 2) that is intended fortransmission to a service labeled SVC:svc1. The packet 604A can includean IPv6 header 650A (e.g., the IPv6 header 350 of FIG. 3) having aSource Address (SA) corresponding to the node 610A and the pod 626A(e.g., nodeA:podA) and a Destination Address (DA) corresponding to theservice labeled SVC:svc1. The packet 604A can also include a payload 660(e.g., the payload 360 of FIG. 3). The pod 626A can transmit the packet604A to a vSwitch 624A (e.g., the network interfaces 224 of FIG. 2) ofthe node 610A.

In this example, vSwitches 624A, 624B, and 624C (collectively, “624”)and leaf switches 618A, 618B, and 618C (collectively, “618”) (e.g., theleaf switches 118 in FIG. 1) in the network fabric 602 can beSRv6-capable devices. Spine switches 616A and 616B (collectively, “616”)(e.g., the spine switches 116 in FIG. 1) may or may not be SRv6-capabledevices.

FIG. 6B shows an SR Policy 610 associated with the vSwitch 624A forproviding FRR in the event of a failure or overloading of a containerpod or node. The SR Policy 610 can include a BSID 612 binding the labelSVC:svc1 to a Segment List 614. As discussed, the SR Policy 610 can beassociated with the vSwitch 624A in various ways, such as by adistributed model using routing protocols (e.g., IS-IS, OSPF, BGP,etc.), one or more centralized network controllers (e.g., the networkcontroller 108 of FIG. 1), or a hybrid approach.

The Segment List 614 can include segments or SIDs leafB: End.R,nodeB:End.S, nodeC: End.X.PSP, and SVC:svc1. The first segment mayinclude a locator (e.g., the locator 344 of FIG. 3B), leafB, and afunction (e.g., the function 346 of FIG. 3B), End.R. The End.R functioncan involve determining whether the next segment in the Segment List isreachable. If so, the packet can be processed per the usual SRprocessing (e.g., decrementing Segments Left, updating the DA, andforwarding the packet). If not, the Segments Left can be decreased by 2,the DA can be updated to be the new active segment (e.g., SRH[SL]), andthe packet can be forwarded according to the updated DA. Table 5 setsforth an example of an implementation for the End.R function.

TABLE 5 Pseudo-code for the Endpoint in search of an SID in table Tfunction (End.R)  1. IF NH=SRH and SL < 1  2. drop the packet  3. ELSEIF match (next SID) in specified table T  4. decrement SL  5. update theIPv6 DA with SRH[SL]  6. FIB lookup on the updated DA  7. forwardaccording to the matched entry  8. ELSE  9. decrease SL by 2 10. updatethe IPv6 DA with SRH[SL] 11. FIB lookup on the updated DA 12. forwardaccording to the matched entry 13. END IF

In FIG. 6B, the second segment or SID of the Segment List 614 caninclude a locator, nodeB, and a function, End. S. Table 2 sets forth anexample of an implementation of the End.S function. The third segment orSID can include a locator, nodeC, and a function, End.X.PSP. Table 3sets forth an example of an implementation of the End.X function, andTable 4 sets forth an example of an implementation for the PSP variant.The fourth segment or SID can include a label, locator, or IPv6 addresscorresponding to SVC:svc1.

In this example, the vSwitch 624A can operate as the SR ingress device.After receiving the IPv6 packet 604A (as shown in FIG. 6A), the vSwitch624A may search an SID table (e.g., SRLB or SRGB) for the original DA(e.g., SVC:svc1), match the original DA to the BSD 612, and insert anSRH 620α including the Segment List 614 and a value of 3 for theSegments Left field (e.g., SL=3). As discussed, the vSwitch 624A canencapsulate the packet 604A with an outside IPv6 header 650B and the SRH620α, and leave the packet unmodified as the payload 660. Alternatively,the vSwitch 624A can insert the SRH 620α inline between the IPv6 header650B and the payload 660. In addition, the vSwitch 624A can set the DAin the IPv6 header 650B to the first segment or SID of the Segment List614 (e.g., learn:End.R). The state of the packet after SR processing bythe vSwitch 624A is shown as SRv6 packet 604B. The vSwitch 624A canforward the packet 604B along the shortest path to the leaf switch 618B.

FIG. 6C shows the state of SRv6 packet 604C after the leaf switch 618Ahas forwarded it and before the spine switch 616A receives it. Here, theleaf switch 618A can support SRv6 but may operate as an SR transitdevice that forms a part of the shortest path to the leaf switch 618B.The spine switches 616 in the network fabric 602 do not necessarily needto support SRv6 and can use the DA of the IPv6 header 650C to forwardthe packet and leave it unchanged, as shown in packet 604C. The spineswitches 616 operate as non-SR transit devices if they do not supportSRv6.

FIG. 6D shows the state of SRv6 packet 604D after the spine switch 616Ahas forwarded it and before the leaf switch 618B receives it. Asdiscussed, the spine switch 616A can operate as a non-SR transit deviceand forward the packet 604D on the basis of the IPv6 header 650D. Thespine switch 616A can ignore the SRH 620γ and leave the packet 604Dunchanged from its previous state.

FIG. 6E shows a local SID table 630 for the leaf switch 618B. Uponreceiving the packet 604D (as shown in FIG. 6D), the leaf switch 618Bcan perform the End.R function (an example of an implementation of whichis set forth in Table 5) and determine that there is an entry in its FIBfor the next segment or SID (e.g., nodeB:End.S) and that the node 610Bis reachable. Thus, the leaf switch 618B can decrement the Segments Leftfrom 3 to 2, update the DA of the IPv6 header 650E to the next segmentor SID (e.g., nodeB:End.S), perform a FIB lookup on the updated DA, andforward the packet 604 according to the matched entry. The state of thepacket after SR processing by the leaf switch 618B is shown as SRv6packet 604E.

FIG. 6F shows a local SID table 640 for the vSwitch 624B. Afterreceiving the packet 604E (as shown in FIG. 6E), the vSwitch 624B canperform the End. S function (an example of an implementation of which isset forth in Table 2) and determine that there is an entry in its FIBfor the last segment or SID (e.g., SVC:svc1; to forward to an interfaceor next-hop corresponding to the container pod 626B). The vSwitch 624Bcan either de-encapsulate the SRv6 packet (e.g., remove the outer IPv6and SR headers) and forward the de-encapsulated packet to the containerpod 626B or remove the SR header, update the DA of the IPv6 header 650Fto the last segment or SID, and forward the IPv6 packet to the containerpod 626B. The state of the packet after SR processing by the vSwitch624B is shown as IPv6 packet 604F.

FIGS. 7A-7E illustrate an example of an IPv6 packet traversing a networkfabric 702 (e.g., the network fabric 102 of FIG. 1) and how SRv6 can beused for fast reroute of the packet in the event of a failure oroverloading of a container pod or node. FIG. 7A shows a first state ofIPv6 packet 704A and a second state of the packet, encoded as SRv6packet 704B, after transmission from a container pod 726A (e.g., thecontainer pods 226 of FIG. 2) of a node 710A (e.g., the computeresources 110 of FIG. 1 or the worker nodes 220 of FIG. 2) through avirtual switch 724A (e.g., the networking interfaces 224 of FIG. 2) ofthe node 510A, a leaf switch 718A (e.g., the leaf switches 118 ofFIG. 1) and spine switch 716A (e.g., the spine switches 116 of FIG. 1)of the network fabric 702, and just before the packet arrives at a leafswitch 718B. The current state of the packet may be similar to the stateof the packet 604D of FIG. 6D. For example, the SRv6 packet 704B caninclude an IPv6 header 750B having an SA corresponding to the node 710Aand container pod 726A (e.g., nodeA:podA) and a DA including a locator(e.g., the locator 344 of FIG. 3B) corresponding to the node 710B (e.g.,nodeB) and a function (e.g., the function 346 of FIG. 3B) End.R. TheSRv6 packet 704B can also include an SRH 720α (e.g., the SRH 320 of FIG.3A) having a Segment List (e.g., the Segment List 340 of FIG. 3A)comprising segments or SIDs (e.g., the segments 342 of FIGS. 3A and 3B)leafB:End.R, nodeB:End.S, nodeC:End.X.PSP, and SVC:syc1, and a value of3 for Segments Left (e.g., the Segments Left 328 of FIG. 3A). Inaddition, the SRv6 packet 704B can include a payload 760 (e.g., thepayload 360 of FIG. 3), which can be an unmodified IPv6 packet if thepacket has been encapsulated or an IPv6 payload if direct or inlineinsertion has been applied to the packet. FIG. 7A also shows a local SIDtable 730 for the leaf switch 718 with an entry for nodeB:End.R.

However, in this example and unlike the example of FIGS. 6A-6F, a node710B has failed, is overloaded, or is otherwise unreachable. Thus, afterthe leaf switch 718B receives the SRv6 packet 704B and initiates theEnd.R function (an example of an implementation of which is set forth inTable 5), the leaf switch 718B may fail to match the next segment or SID(e.g., nodeB:End.S) to an entry in its FIB. Accordingly, the leaf switch718B can perform an FRR on the SRv6 packet 704B (e.g., decrease theSegment List by 2, update the IPv6 DA with SRH[SL], FIB lookup on theupdated DA, and forward according to the matched entry). That is, upondetecting that the node 710B is unreachable, the leaf switch 718B canimmediately reroute the packet 704B to a secondary path or route.

FIG. 7B shows a state of SRv6 packet 704C after the leaf switch 718Bperforms the FRR on the packet. For example, the leaf switch 718B candecrease the value of the Segments Left (SL) in the SRH 720β from 3to 1. In addition, the leaf switch 718B can update the DA in the IPv6header 750C to be the new active segment in the Segment List of the SRH720β from leafB:End.R to nodeC:End.X.PSP. Finally, the leaf switch 718Bcan perform a FIB lookup on the updated DA and forward the packet 704Caccording to the matched entry. In some embodiments, the ingress SRdevice (e.g., the vSwitch 724A) can also be reprogrammed to reflect theunavailability of the node 710B, such as to update its Segment List toinclude one or more different segments or SIDs (e.g., a new primaryroute or path and, optionally, one or more new secondary routes orpaths).

FIG. 7C shows the state of SRv6 packet 704D after the spine switch 716Bhas forwarded it and before the leaf switch 718C receives it. Asdiscussed, the spine switch 716B can operate as a non-SR transit deviceand forward the packet 704D on the basis of the IPv6 header 750D. Thespine switch 716B can ignore the SRH 720γ and leave the packet 704Dunchanged from its previous state.

FIG. 7D shows a state of SRv6 packet 704E after the leaf switch 718Cforwards it to a vSwitch 724C of a node 710C. In this example, the leafswitch 718C can support SRv6 and operate as an SR transit device to forma part of the shortest path from the leaf switch 718B to the node 710C.As such, the state of the SRv6 packet 704E can remain unchanged from itsprevious state.

FIG. 7E shows a state of IPv6 packet 704F after SR processing by thevSwitch 724C. This can involve performing the End.X.PSP function (e.g.,examples of implementations of which are set forth in Tables 3 and 4) onthe packet. For example, the vSwitch 724C can decrement the SegmentsList from 1 to 0, pop the outer IPv6 header and SRH (if the packet wasencapsulated) or update the DA of an IPv6 header to SVC:svc1 and pop theSRH (if direct or inline insertion was applied to the packet), andperform IPv6 processing on the packet (e.g., forward to an interface ornext-hop corresponding to the container pod 726C).

FIG. 8 illustrates an example of a process 800 for providing segmentrouting with fast reroute in the event that a container/pod or host isunreachable. The process 800 may begin with an SR ingress device (e.g.,vSwitches 224 of FIG. 2, SRv6 vSwitches 424A of FIGS. 4A-4D, SRv6vSwitches 524A of FIGS. 5A-5D, physical switches 618 of FIGS. 6A-6F,physical switches 718 of FIGS. 7A-7E, etc.) receiving a packet (e.g., anIPv6 packet) from a first container/pod (e.g., the containers 228/pods226 of FIG. 2) in a first host (e.g., the physical or virtual servers110). The packet may be destined for a container service. The containerservice may have a network address associated with multiplecontainers/pods in multiple hosts, including at least a secondcontainer/pod in a second host and a third container/pod in a thirdhost. For example, the network address may be a Kubernetes® ClusterIP,NodePort, LoadBalancer, and/or ExternalName. Examples of this step areshown and discussed with respect to FIGS. 4A, 5A, 6A, and 7A.

The process 800 can proceed to step 804 in which the SR ingress devicemay generate an SR packet that includes the original packet and asegment list. For example, the SR ingress device may be associated witha Binding Segment Identifier (BSID) corresponding to the containerservice that, upon a Destination Address (DA) of the packet matching theBSID, causes the instantiation of the segment list. In some embodiments,a network controller may associate the SR ingress device with the B SIDand determine the segment list. In other embodiments, the SR ingressdevice can individually compute the segment list, such as by routingprotocols (e.g., IS-IS, OSPF, BGP, etc.) and individually impose theBSID.

In some embodiments, the SR ingress device can use encapsulation forgenerating the SR packet. For instance, the SR ingress device can createan outer IPv6 header including a Source Address (SA) corresponding tothe originating host and container/pod and a DA corresponding to thefirst segment or Segment Identifier (SID) of the segment list. The SRingress device can also create a Segment Routing Header (SRH) (e.g., theSRH 320) including SR metadata fields (e.g., Segments Left, Last Entry,Flags, etc.) and the segment list. The SR ingress device can append theouter IPv6 header, the SRH, and the original packet to generate the SRpacket.

In other embodiments, the SR ingress device can use direct or inlineinsertion. For example, the SR ingress device can update the DA of theoriginal packet header (e.g., IPv6 header) to be the first segment orSID of the segment list. Then, the SR ingress device can create the SRHand insert the SRH between the original packet header and originalpacket payload.

The segment list can include at least a first segment or SID to a secondhost including a second container/pod of the container service, a secondsegment or SID to a third host including a third container/pod of thecontainer service, and a third segment or SID to the container service.There can be zero SIDS or one or more SIDS before the first SID, inbetween each of the first, second, and third SIDS, and after the thirdSID. There can be a primary SR egress device and one or more secondarySR egress devices. In some embodiments, the SIDS may comprise locatorscorresponding to SR segment endpoints and SR instructions, such as theSR instructions set forth in Table 1. Examples of step 804 are shown anddiscussed with respect to FIGS. 4B, 5B, 6B, and 7B.

At step 806, the SR packet can be forwarded to a second SR devicecorresponding to the first segment or SID. In some cases, the second SRdevice can be a vSwitch in a second host including a secondcontainer/pod of the container service. That is, the second SR devicecan be an SR egress device. For instance, FIGS. 4B-4C and 5A showexamples of an SR ingress device (e.g., vSwitches 424A and 524A,respectively) forwarding an SRv6 packet (e.g., SRv6 packets 404B/404Cand 504B, respectively) to a first SR egress device (e.g., vSwitches424B and 524B, respectively). In some embodiments, the second SR devicecan be a physical switch adjacent to the second host. For instance,FIGS. 6B-6D and 7A show an SR ingress device (e.g., vSwitches 624A and724A, respectively) forwarding an SRv6 packet (e.g., packets604B/604C/604D and 704B, respectively) to the leaf switch 718B (withleaf switch 718A operating as an SR transit device and the spine switch716A operating as a non-SR transit device). In still other embodiments,there may be one or more segments or SIDS in the segment list before thefirst segment or SID corresponding to the second SR device including thesecond container/pod of the container service.

At decision point 808, the second SR device can determine whether thesecond host and/or second container/pod are reachable. For example, thesecond SR device can perform a lookup in its FIB for a segment or SIDcorresponding to the second host or a segment or SID corresponding tothe second container/pod. As another example, the second SR device canperiodically poll the second host and/or second container/pod todetermine their reachability. As yet another example, the second hostand/or second container may periodically send the second SR deviceheartbeat messages to indicate their reachability.

If the second host and second container/host are reachable, the process800 may continue to step 810, which can include forwarding the SR packetto the second host or the original packet to second container/poddepending whether or not the second SR device is an SR egress device.For example, if the second SR device is an SR egress device, the secondSR device can de-encapsulate the SR packet (or update the DA to be thethird segment and remove the SRH from the SR packet) and forward therecovered original packet to the second container/pod. Examples of theseoperations are shown and discussed with respect to FIGS. 4C-4D. On theother hand, if the second SR device is not an SR egress device, thesecond SR device can decrement the Segments Left, update the DA of theIP header to the new active segment or SID, and forward the SR packet tothe second host. Examples of these operations are shown and discussedwith respect to FIG. 6E. The SR device of the second host (e.g., thevSwitch 624B) can operate as an SR egress device and evaluate whetherthe second container/pod (e.g., the container pod 626B) is reachable,and if so, de-encapsulate the SR packet and forward the de-encapsulatedpacket to the second container/pod as shown and discussed with respectto FIG. 6F.

If the second host and/or second container/pod are unreachable, theprocess may progress to step 812, which can involve rerouting the SRpacket to a third SR device corresponding to the second segment or SIDas shown and discussed, for example, with respect to FIGS. 5B-5C andFIGS. 7B-7D. The third SR device can operate as an SR egress device andcan evaluate whether the third container/pod (e.g., the container pods526B and 72B) is reachable, and if so, de-encapsulate the SR packet andforward the de-encapsulated packet to the third container/pod as shownand discussed with respect to FIGS. 5D and 7E. In some embodiments, thethird host or third container/pod may also be unreachable, and the SRingress device may include an additional segment or SID for fast rerouteto a fourth host including a fourth container/pod of the containerservice. The SR ingress device may include as many additional segmentsor SIDs in the segment list as there are secondary SR egress devicesavailable in the network.

FIG. 9A and FIG. 9B illustrate systems in accordance with variousembodiments. The more appropriate system will be apparent to those ofordinary skill in the art when practicing the various embodiments.Persons of ordinary skill in the art will also readily appreciate thatother systems are possible.

FIG. 9A illustrates an example of a bus computing system 900 wherein thecomponents of the system are in electrical communication with each otherusing a bus 905. The computing system 900 can include a processing unit(CPU or processor) 910 and a system bus 905 that may couple varioussystem components including the system memory 915, such as read onlymemory (ROM) 920 and random access memory (RAM) 925, to the processor910. The computing system 900 can include a cache 912 of high-speedmemory connected directly with, in close proximity to, or integrated aspart of the processor 910. The computing system 900 can copy data fromthe memory 915, ROM 920, RAM 925, and/or storage device 930 to the cache912 for quick access by the processor 910. In this way, the cache 912can provide a performance boost that avoids processor delays whilewaiting for data. These and other modules can control the processor 910to perform various actions. Other system memory 915 may be available foruse as well. The memory 915 can include multiple different types ofmemory with different performance characteristics. The processor 910 caninclude any general purpose processor and a hardware module or softwaremodule, such as module 1 932, module 2 934, and module 3 936 stored inthe storage device 930, configured to control the processor 910 as wellas a special-purpose processor where software instructions areincorporated into the actual processor design. The processor 910 mayessentially be a completely self-contained computing system, containingmultiple cores or processors, a bus, memory controller, cache, etc. Amulti-core processor may be symmetric or asymmetric.

To enable user interaction with the computing system 900, an inputdevice 945 can represent any number of input mechanisms, such as amicrophone for speech, a touch-protected screen for gesture or graphicalinput, keyboard, mouse, motion input, speech and so forth. An outputdevice 935 can also be one or more of a number of output mechanismsknown to those of skill in the art. In some instances, multimodalsystems can enable a user to provide multiple types of input tocommunicate with the computing system 900. The communications interface940 can govern and manage the user input and system output. There may beno restriction on operating on any particular hardware arrangement andtherefore the basic features here may easily be substituted for improvedhardware or firmware arrangements as they are developed.

The storage device 930 can be a non-volatile memory and can be a harddisk or other types of computer readable media which can store data thatare accessible by a computer, such as magnetic cassettes, flash memorycards, solid state memory devices, digital versatile disks, cartridges,random access memory, read only memory, and hybrids thereof.

As discussed above, the storage device 930 can include the softwaremodules 932, 934, 936 for controlling the processor 910. Other hardwareor software modules are contemplated. The storage device 930 can beconnected to the system bus 905. In some embodiments, a hardware modulethat performs a particular function can include a software componentstored in a computer-readable medium in connection with the necessaryhardware components, such as the processor 910, bus 905, output device935, and so forth, to carry out the function.

FIG. 9B illustrates an example architecture for a conventional chipsetcomputing system 950 that can be used in accordance with an embodiment.The computing system 950 can include a processor 955, representative ofany number of physically and/or logically distinct resources capable ofexecuting software, firmware, and hardware configured to performidentified computations. The processor 955 can communicate with achipset 960 that can control input to and output from the processor 955.In this example, the chipset 960 can output information to an outputdevice 965, such as a display, and can read and write information tostorage device 970, which can include magnetic media, solid state media,and other suitable storage media. The chipset 960 can also read datafrom and write data to RAM 975. A bridge 980 for interfacing with avariety of user interface components 985 can be provided for interfacingwith the chipset 960. The user interface components 985 can include akeyboard, a microphone, touch detection and processing circuitry, apointing device, such as a mouse, and so on. Inputs to the computingsystem 950 can come from any of a variety of sources, machine generatedand/or human generated.

The chipset 960 can also interface with one or more communicationinterfaces 990 that can have different physical interfaces. Thecommunication interfaces 990 can include interfaces for wired andwireless LANs, for broadband wireless networks, as well as personal areanetworks. Some applications of the methods for generating, displaying,and using the technology disclosed herein can include receiving ordereddatasets over the physical interface or be generated by the machineitself by the processor 955 analyzing data stored in the storage device970 or the RAM 975. Further, the computing system 950 can receive inputsfrom a user via the user interface components 985 and executeappropriate functions, such as browsing functions by interpreting theseinputs using the processor 955.

It will be appreciated that computing systems 900 and 950 can have morethan one processor 910 and 955, respectively, or be part of a group orcluster of computing devices networked together to provide greaterprocessing capability.

For clarity of explanation, in some instances the various embodimentsmay be presented as including individual functional blocks includingfunctional blocks comprising devices, device components, steps orroutines in a method embodied in software, or combinations of hardwareand software.

In some embodiments the computer-readable storage devices, mediums, andmemories can include a cable or wireless signal containing a bit streamand the like. However, when mentioned, non-transitory computer-readablestorage media expressly exclude media such as energy, carrier signals,electromagnetic waves, and signals per se.

Methods according to the above-described examples can be implementedusing computer-executable instructions that are stored or otherwiseavailable from computer readable media. Such instructions can comprise,for example, instructions and data which cause or otherwise configure ageneral purpose computer, special purpose computer, or special purposeprocessing device to perform a certain function or group of functions.Portions of computer resources used can be accessible over a network.The computer executable instructions may be, for example, binaries,intermediate format instructions such as assembly language, firmware, orsource code. Examples of computer-readable media that may be used tostore instructions, information used, and/or information created duringmethods according to described examples include magnetic or opticaldisks, flash memory, USB devices provided with non-volatile memory,networked storage devices, and so on.

Devices implementing methods according to these disclosures can comprisehardware, firmware and/or software, and can take any of a variety ofform factors. Some examples of such form factors include laptops, smartphones, small form factor personal computers, personal digitalassistants, rackmount devices, standalone devices, and so on.Functionality described herein also can be embodied in peripherals oradd-in cards. Such functionality can also be implemented on a circuitboard among different chips or different processes executing in a singledevice, by way of further example.

The instructions, media for conveying such instructions, computingresources for executing them, and other structures for supporting suchcomputing resources are means for providing the functions described inthese disclosures.

Although a variety of examples and other information was used to explainaspects within the scope of the appended claims, no limitation of theclaims should be implied based on particular features or arrangements insuch examples, as one of ordinary skill would be able to use theseexamples to derive a wide variety of implementations. Further andalthough some subject matter may have been described in languagespecific to examples of structural features and/or method steps, it isto be understood that the subject matter defined in the appended claimsis not necessarily limited to these described features or acts. Forexample, such functionality can be distributed differently or performedin components other than those identified herein. Rather, the describedfeatures and steps are disclosed as examples of components of systemsand methods within the scope of the appended claims.

The invention claimed is:
 1. A method performed by a first segmentrouting device, the method comprising: receiving, from a second segmentrouting device, a segment routing packet including a segment list and apacket destined for a container service, the segment routing listincluding a first segment associated with a first container of thecontainer service and a second segment associated with a secondcontainer of the container service, wherein the segment routing packetis generated by the second segment routing device; based on adetermination that the first container is unable to process the packet,updating the segment routing packet to identify the second segment as anext destination of the segment routing packet; rerouting the segmentrouting packet to the second segment associated with the secondcontainer of the container service; updating the segment list to includeone or more segments different from the first segment; and triggering aprogramming, by the first segment routing device, of the second segmentrouting device to reflect that a host of the first container isunreachable.
 2. The method of claim 1, wherein the determination thatthe first container is unable to process the packet comprises adetermination that a host of the first container is unreachable.
 3. Themethod of claim 1, wherein the packet is encapsulated with an outerInternet Protocol (IP) header and a segment routing header including thesegment routing list, and wherein rerouting the segment routing packetcomprises decapsulating the packet and forwarding the packet to adestination address in an inner IP header of the decapsulated packet. 4.The method of claim 1, wherein the first segment comprises a first hostof a first pod associated with the container service and the secondsegment comprises a second host of a second pod associated with thecontainer service.
 5. The method of claim 4, wherein the first podcomprises the first container and the second pod comprises the secondcontainer.
 6. The method of claim 1, wherein the segment routing packetis received via a segment routing device, the segment routing devicecomprising one of a virtual switch in a host of a third containerassociated with a current segment in the segment list or a networkdevice connected to the host.
 7. The method of claim 1, furthercomprising: receiving a second segment routing packet including a secondsegment list and a second packet destined for a second containerservice, the second segment routing list including a third segmentassociated with a third container of the second container service andone or more segments associated with a one or more containers of thesecond container service; and based on an additional determination thatthe third container is able to process the second packet, forwarding atleast one of the second segment routing packet or the second packet to ahost associated with the third segment.
 8. The method of claim 1,wherein the packet is encapsulated with an outer Internet Protocol (IP)header and a segment routing header including the segment list, andwherein the packet includes an IP header and a payload.
 9. The method ofclaim 8, wherein updating the segment routing packet to identify thesecond segment as the next destination of the segment routing packetcomprises updating the segment routing header and updating an IP addressin the outer IP header.
 10. A system comprising: one or more processors;and at least one computer-readable storage medium having stored thereininstructions which, when executed by the one or more processors, causethe one or more processors to: receive a segment routing packetincluding a segment list and a packet destined for a container service,the segment routing list including a first segment associated with afirst container of the container service and a second segment associatedwith a second container of the container service, wherein the segmentrouting packet is generated by a segment routing device; based on adetermination that the first container is unable to process the packet,update the segment routing packet to identify the second segment as anext destination of the segment routing packet; reroute the segmentrouting packet to the second segment associated with the secondcontainer of the container service; update the segment list to includeone or more segments different from the first segment and programmingthe segment routing device to reflect that a host of the first containeris unreachable.
 11. The system of claim 10, wherein the segment routingpacket comprises a binding segment identifier (BSID) for the containerservice, and wherein the BSID is associated with a segment routingpolicy.
 12. The system of claim 10, wherein one or more segments of thesegment list include a locator and a segment routing function.
 13. Thesystem of claim 10, wherein the determination that the first containeris unable to process the packet comprises a determination that a host ofthe first container is unreachable.
 14. The system of claim 10, whereinthe packet is encapsulated with an outer Internet Protocol (IP) headerand a segment routing header including the segment routing list, andwherein rerouting the segment routing packet comprises decapsulating thepacket and forwarding the packet to a destination address in an inner IPheader of the decapsulated packet.
 15. The system of claim 10, whereinthe first segment comprises a first host of a first pod associated withthe container service and the second segment comprises a second host ofa second pod associated with the container service.
 16. The system ofclaim 15, wherein the first pod comprises the first container and thesecond pod comprises the second container.
 17. The system of claim 10,wherein the instructions, when executed by the one or more processors,cause the one or more processors to: receive a second segment routingpacket including a second segment list and a second packet destined fora second container service, the second segment routing list including athird segment associated with a third container of the second containerservice and one or more segments associated with a one or morecontainers of the second container service; and based on an additionaldetermination that the third container is able to process the secondpacket, forward at least one of the second segment routing packet or thesecond packet to a host associated with the third segment.
 18. Anon-transitory computer-readable storage medium having stored thereininstructions which, when executed by one or more processors, cause theone or more processors to: receive a segment routing packet including asegment list and a packet destined for a container service, the segmentrouting list including a first segment associated with a first containerof the container service and a second segment associated with a secondcontainer of the container service, wherein the segment routing packetis generated by a segment routing device; based on a determination thatthe first container is unable to process the packet, update the segmentrouting packet to identify the second segment as a next destination ofthe segment routing packet; reroute the segment routing packet to thesecond segment associated with the second container of the containerservice; update the segment list to include one or more segmentsdifferent from the first segment and programming the segment routingdevice to reflect that a host of the first container is unreachable. 19.The non-transitory computer-readable storage medium of claim 18, whereinthe determination that the first container is unable to process thepacket comprises a determination that a host of the first container isunreachable.
 20. The non-transitory computer-readable storage medium ofclaim 18, wherein the instructions when executed further cause the oneor more processors to: instantiate the first container in a firstcontainer pod and the second container in a second container pod.